[thirdparty/openssl.git] / test / tls13secretstest.c

/*
 * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <openssl/ssl.h>
#include <openssl/evp.h>

#include "../ssl/ssl_local.h"
#include "testutil.h"

#define IVLEN   12
#define KEYLEN  16

/*
 * Based on the test vectors available in:
 * https://tools.ietf.org/html/draft-ietf-tls-tls13-vectors-06
 */

static unsigned char hs_start_hash[] = {
0xc6, 0xc9, 0x18, 0xad, 0x2f, 0x41, 0x99, 0xd5, 0x59, 0x8e, 0xaf, 0x01, 0x16,
0xcb, 0x7a, 0x5c, 0x2c, 0x14, 0xcb, 0x54, 0x78, 0x12, 0x18, 0x88, 0x8d, 0xb7,
0x03, 0x0d, 0xd5, 0x0d, 0x5e, 0x6d
};

static unsigned char hs_full_hash[] = {
0xf8, 0xc1, 0x9e, 0x8c, 0x77, 0xc0, 0x38, 0x79, 0xbb, 0xc8, 0xeb, 0x6d, 0x56,
0xe0, 0x0d, 0xd5, 0xd8, 0x6e, 0xf5, 0x59, 0x27, 0xee, 0xfc, 0x08, 0xe1, 0xb0,
0x02, 0xb6, 0xec, 0xe0, 0x5d, 0xbf
};

static unsigned char early_secret[] = {
0x33, 0xad, 0x0a, 0x1c, 0x60, 0x7e, 0xc0, 0x3b, 0x09, 0xe6, 0xcd, 0x98, 0x93,
0x68, 0x0c, 0xe2, 0x10, 0xad, 0xf3, 0x00, 0xaa, 0x1f, 0x26, 0x60, 0xe1, 0xb2,
0x2e, 0x10, 0xf1, 0x70, 0xf9, 0x2a
};

static unsigned char ecdhe_secret[] = {
0x81, 0x51, 0xd1, 0x46, 0x4c, 0x1b, 0x55, 0x53, 0x36, 0x23, 0xb9, 0xc2, 0x24,
0x6a, 0x6a, 0x0e, 0x6e, 0x7e, 0x18, 0x50, 0x63, 0xe1, 0x4a, 0xfd, 0xaf, 0xf0,
0xb6, 0xe1, 0xc6, 0x1a, 0x86, 0x42
};

static unsigned char handshake_secret[] = {
0x5b, 0x4f, 0x96, 0x5d, 0xf0, 0x3c, 0x68, 0x2c, 0x46, 0xe6, 0xee, 0x86, 0xc3,
0x11, 0x63, 0x66, 0x15, 0xa1, 0xd2, 0xbb, 0xb2, 0x43, 0x45, 0xc2, 0x52, 0x05,
0x95, 0x3c, 0x87, 0x9e, 0x8d, 0x06
};

static const char *client_hts_label = "c hs traffic";

static unsigned char client_hts[] = {
0xe2, 0xe2, 0x32, 0x07, 0xbd, 0x93, 0xfb, 0x7f, 0xe4, 0xfc, 0x2e, 0x29, 0x7a,
0xfe, 0xab, 0x16, 0x0e, 0x52, 0x2b, 0x5a, 0xb7, 0x5d, 0x64, 0xa8, 0x6e, 0x75,
0xbc, 0xac, 0x3f, 0x3e, 0x51, 0x03
};

static unsigned char client_hts_key[] = {
0x26, 0x79, 0xa4, 0x3e, 0x1d, 0x76, 0x78, 0x40, 0x34, 0xea, 0x17, 0x97, 0xd5,
0xad, 0x26, 0x49
};

static unsigned char client_hts_iv[] = {
0x54, 0x82, 0x40, 0x52, 0x90, 0xdd, 0x0d, 0x2f, 0x81, 0xc0, 0xd9, 0x42
};

static const char *server_hts_label = "s hs traffic";

static unsigned char server_hts[] = {
0x3b, 0x7a, 0x83, 0x9c, 0x23, 0x9e, 0xf2, 0xbf, 0x0b, 0x73, 0x05, 0xa0, 0xe0,
0xc4, 0xe5, 0xa8, 0xc6, 0xc6, 0x93, 0x30, 0xa7, 0x53, 0xb3, 0x08, 0xf5, 0xe3,
0xa8, 0x3a, 0xa2, 0xef, 0x69, 0x79
};

static unsigned char server_hts_key[] = {
0xc6, 0x6c, 0xb1, 0xae, 0xc5, 0x19, 0xdf, 0x44, 0xc9, 0x1e, 0x10, 0x99, 0x55,
0x11, 0xac, 0x8b
};

static unsigned char server_hts_iv[] = {
0xf7, 0xf6, 0x88, 0x4c, 0x49, 0x81, 0x71, 0x6c, 0x2d, 0x0d, 0x29, 0xa4
};

static unsigned char master_secret[] = {
0x5c, 0x79, 0xd1, 0x69, 0x42, 0x4e, 0x26, 0x2b, 0x56, 0x32, 0x03, 0x62, 0x7b,
0xe4, 0xeb, 0x51, 0x03, 0x3f, 0x58, 0x8c, 0x43, 0xc9, 0xce, 0x03, 0x73, 0x37,
0x2d, 0xbc, 0xbc, 0x01, 0x85, 0xa7
};

static const char *client_ats_label = "c ap traffic";

static unsigned char client_ats[] = {
0xe2, 0xf0, 0xdb, 0x6a, 0x82, 0xe8, 0x82, 0x80, 0xfc, 0x26, 0xf7, 0x3c, 0x89,
0x85, 0x4e, 0xe8, 0x61, 0x5e, 0x25, 0xdf, 0x28, 0xb2, 0x20, 0x79, 0x62, 0xfa,
0x78, 0x22, 0x26, 0xb2, 0x36, 0x26
};

static unsigned char client_ats_key[] = {
0x88, 0xb9, 0x6a, 0xd6, 0x86, 0xc8, 0x4b, 0xe5, 0x5a, 0xce, 0x18, 0xa5, 0x9c,
0xce, 0x5c, 0x87
};

static unsigned char client_ats_iv[] = {
0xb9, 0x9d, 0xc5, 0x8c, 0xd5, 0xff, 0x5a, 0xb0, 0x82, 0xfd, 0xad, 0x19
};

static const char *server_ats_label = "s ap traffic";

static unsigned char server_ats[] = {
0x5b, 0x73, 0xb1, 0x08, 0xd9, 0xac, 0x1b, 0x9b, 0x0c, 0x82, 0x48, 0xca, 0x39,
0x26, 0xec, 0x6e, 0x7b, 0xc4, 0x7e, 0x41, 0x17, 0x06, 0x96, 0x39, 0x87, 0xec,
0x11, 0x43, 0x5d, 0x30, 0x57, 0x19
};

static unsigned char server_ats_key[] = {
0xa6, 0x88, 0xeb, 0xb5, 0xac, 0x82, 0x6d, 0x6f, 0x42, 0xd4, 0x5c, 0x0c, 0xc4,
0x4b, 0x9b, 0x7d
};

static unsigned char server_ats_iv[] = {
0xc1, 0xca, 0xd4, 0x42, 0x5a, 0x43, 0x8b, 0x5d, 0xe7, 0x14, 0x83, 0x0a
};

/* Mocked out implementations of various functions */
int ssl3_digest_cached_records(SSL_CONNECTION *s, int keep)
{
    return 1;
}

static int full_hash = 0;

/* Give a hash of the currently set handshake */
int ssl_handshake_hash(SSL_CONNECTION *s, unsigned char *out, size_t outlen,
                       size_t *hashlen)
{
    if (sizeof(hs_start_hash) > outlen
            || sizeof(hs_full_hash) != sizeof(hs_start_hash))
        return 0;

    if (full_hash) {
        memcpy(out, hs_full_hash, sizeof(hs_full_hash));
        *hashlen = sizeof(hs_full_hash);
    } else {
        memcpy(out, hs_start_hash, sizeof(hs_start_hash));
        *hashlen = sizeof(hs_start_hash);
    }

    return 1;
}

const EVP_MD *ssl_handshake_md(SSL_CONNECTION *s)
{
    return EVP_sha256();
}

void RECORD_LAYER_reset_write_sequence(RECORD_LAYER *rl)
{
}

int ssl_cipher_get_evp_cipher(SSL_CTX *ctx, const SSL_CIPHER *sslc,
                                     const EVP_CIPHER **enc)
{
    return 0;
}

int ssl_cipher_get_evp(SSL_CTX *ctx, const SSL_SESSION *s,
                       const EVP_CIPHER **enc, const EVP_MD **md,
                       int *mac_pkey_type, size_t *mac_secret_size,
                       SSL_COMP **comp, int use_etm)

{
    return 0;
}

int tls1_alert_code(int code)
{
    return code;
}

int ssl_log_secret(SSL_CONNECTION *sc,
                   const char *label,
                   const uint8_t *secret,
                   size_t secret_len)
{
    return 1;
}

const EVP_MD *ssl_md(SSL_CTX *ctx, int idx)
{
    return EVP_sha256();
}

void ossl_statem_send_fatal(SSL_CONNECTION *s, int al)
{
}

void ossl_statem_fatal(SSL_CONNECTION *s, int al, int reason,
                       const char *fmt, ...)
{
}

int ossl_statem_export_allowed(SSL_CONNECTION *s)
{
    return 1;
}

int ossl_statem_export_early_allowed(SSL_CONNECTION *s)
{
    return 1;
}

void ssl_evp_cipher_free(const EVP_CIPHER *cipher)
{
}

void ssl_evp_md_free(const EVP_MD *md)
{
}

int ssl_set_new_record_layer(SSL_CONNECTION *s, int version, int direction,
                             int level, unsigned char *key, size_t keylen,
                             unsigned char *iv,  size_t ivlen,
                             unsigned char *mackey, size_t mackeylen,
                             const EVP_CIPHER *ciph, size_t taglen,
                             int mactype, const EVP_MD *md,
                             const SSL_COMP *comp)
{
    return 0;
}

/* End of mocked out code */

static int test_secret(SSL_CONNECTION *s, unsigned char *prk,
                       const unsigned char *label, size_t labellen,
                       const unsigned char *ref_secret,
                       const unsigned char *ref_key, const unsigned char *ref_iv)
{
    size_t hashsize;
    unsigned char gensecret[EVP_MAX_MD_SIZE];
    unsigned char hash[EVP_MAX_MD_SIZE];
    unsigned char key[KEYLEN];
    unsigned char iv[IVLEN];
    const EVP_MD *md = ssl_handshake_md(s);

    if (!ssl_handshake_hash(s, hash, sizeof(hash), &hashsize)) {
        TEST_error("Failed to get hash");
        return 0;
    }

    if (!tls13_hkdf_expand(s, md, prk, label, labellen, hash, hashsize,
                           gensecret, hashsize, 1)) {
        TEST_error("Secret generation failed");
        return 0;
    }

    if (!TEST_mem_eq(gensecret, hashsize, ref_secret, hashsize))
        return 0;

    if (!tls13_derive_key(s, md, gensecret, key, KEYLEN)) {
        TEST_error("Key generation failed");
        return 0;
    }

    if (!TEST_mem_eq(key, KEYLEN, ref_key, KEYLEN))
        return 0;

    if (!tls13_derive_iv(s, md, gensecret, iv, IVLEN)) {
        TEST_error("IV generation failed");
        return 0;
    }

    if (!TEST_mem_eq(iv, IVLEN, ref_iv, IVLEN))
        return 0;

    return 1;
}

static int test_handshake_secrets(void)
{
    SSL_CTX *ctx = NULL;
    SSL *ssl = NULL;
    SSL_CONNECTION *s;
    int ret = 0;
    size_t hashsize;
    unsigned char out_master_secret[EVP_MAX_MD_SIZE];
    size_t master_secret_length;

    ctx = SSL_CTX_new(TLS_method());
    if (!TEST_ptr(ctx))
        goto err;

    ssl = SSL_new(ctx);
    if (!TEST_ptr(ssl) || !TEST_ptr(s = SSL_CONNECTION_FROM_SSL_ONLY(ssl)))
        goto err;

    s->session = SSL_SESSION_new();
    if (!TEST_ptr(s->session))
        goto err;

    if (!TEST_true(tls13_generate_secret(s, ssl_handshake_md(s), NULL, NULL, 0,
                                         (unsigned char *)&s->early_secret))) {
        TEST_info("Early secret generation failed");
        goto err;
    }

    if (!TEST_mem_eq(s->early_secret, sizeof(early_secret),
                     early_secret, sizeof(early_secret))) {
        TEST_info("Early secret does not match");
        goto err;
    }

    if (!TEST_true(tls13_generate_handshake_secret(s, ecdhe_secret,
                                                   sizeof(ecdhe_secret)))) {
        TEST_info("Handshake secret generation failed");
        goto err;
    }

    if (!TEST_mem_eq(s->handshake_secret, sizeof(handshake_secret),
                     handshake_secret, sizeof(handshake_secret)))
        goto err;

    hashsize = EVP_MD_get_size(ssl_handshake_md(s));
    if (!TEST_size_t_eq(sizeof(client_hts), hashsize))
        goto err;
    if (!TEST_size_t_eq(sizeof(client_hts_key), KEYLEN))
        goto err;
    if (!TEST_size_t_eq(sizeof(client_hts_iv), IVLEN))
        goto err;

    if (!TEST_true(test_secret(s, s->handshake_secret,
                               (unsigned char *)client_hts_label,
                               strlen(client_hts_label), client_hts,
                               client_hts_key, client_hts_iv))) {
        TEST_info("Client handshake secret test failed");
        goto err;
    }

    if (!TEST_size_t_eq(sizeof(server_hts), hashsize))
        goto err;
    if (!TEST_size_t_eq(sizeof(server_hts_key), KEYLEN))
        goto err;
    if (!TEST_size_t_eq(sizeof(server_hts_iv), IVLEN))
        goto err;

    if (!TEST_true(test_secret(s, s->handshake_secret,
                               (unsigned char *)server_hts_label,
                               strlen(server_hts_label), server_hts,
                               server_hts_key, server_hts_iv))) {
        TEST_info("Server handshake secret test failed");
        goto err;
    }

    /*
     * Ensure the mocked out ssl_handshake_hash() returns the full handshake
     * hash.
     */
    full_hash = 1;

    if (!TEST_true(tls13_generate_master_secret(s, out_master_secret,
                                                s->handshake_secret, hashsize,
                                                &master_secret_length))) {
        TEST_info("Master secret generation failed");
        goto err;
    }

    if (!TEST_mem_eq(out_master_secret, master_secret_length,
                     master_secret, sizeof(master_secret))) {
        TEST_info("Master secret does not match");
        goto err;
    }

    if (!TEST_size_t_eq(sizeof(client_ats), hashsize))
        goto err;
    if (!TEST_size_t_eq(sizeof(client_ats_key), KEYLEN))
        goto err;
    if (!TEST_size_t_eq(sizeof(client_ats_iv), IVLEN))
        goto err;

    if (!TEST_true(test_secret(s, out_master_secret,
                               (unsigned char *)client_ats_label,
                               strlen(client_ats_label), client_ats,
                               client_ats_key, client_ats_iv))) {
        TEST_info("Client application data secret test failed");
        goto err;
    }

    if (!TEST_size_t_eq(sizeof(server_ats), hashsize))
        goto err;
    if (!TEST_size_t_eq(sizeof(server_ats_key), KEYLEN))
        goto err;
    if (!TEST_size_t_eq(sizeof(server_ats_iv), IVLEN))
        goto err;

    if (!TEST_true(test_secret(s, out_master_secret,
                               (unsigned char *)server_ats_label,
                               strlen(server_ats_label), server_ats,
                               server_ats_key, server_ats_iv))) {
        TEST_info("Server application data secret test failed");
        goto err;
    }

    ret = 1;
 err:
    SSL_free(ssl);
    SSL_CTX_free(ctx);
    return ret;
}

int setup_tests(void)
{
    ADD_TEST(test_handshake_secrets);
    return 1;
}
Commit	Line	Data
134bfe56	1	/*
4333b89f	2	* Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
134bfe56	3	*
909f1a2e	4	* Licensed under the Apache License 2.0 (the "License"). You may not use
134bfe56 MC	5	* this file except in compliance with the License. You can obtain a copy
	6	* in the file LICENSE in the source distribution or at
	7	* https://www.openssl.org/source/license.html
	8	*/
	9
	10	#include <openssl/ssl.h>
	11	#include <openssl/evp.h>
edd689ef	12
706457b7	13	#include "../ssl/ssl_local.h"
134bfe56 MC	14	#include "testutil.h"
	15
	16	#define IVLEN 12
	17	#define KEYLEN 16
	18
d6ce9da4	19	/*
c2969ff6	20	* Based on the test vectors available in:
df443918	21	* https://tools.ietf.org/html/draft-ietf-tls-tls13-vectors-06
134bfe56 MC	22	*/
	23
	24	static unsigned char hs_start_hash[] = {
d6ce9da4 MC	25	0xc6, 0xc9, 0x18, 0xad, 0x2f, 0x41, 0x99, 0xd5, 0x59, 0x8e, 0xaf, 0x01, 0x16,
	26	0xcb, 0x7a, 0x5c, 0x2c, 0x14, 0xcb, 0x54, 0x78, 0x12, 0x18, 0x88, 0x8d, 0xb7,
	27	0x03, 0x0d, 0xd5, 0x0d, 0x5e, 0x6d
134bfe56 MC	28	};
	29
	30	static unsigned char hs_full_hash[] = {
d6ce9da4 MC	31	0xf8, 0xc1, 0x9e, 0x8c, 0x77, 0xc0, 0x38, 0x79, 0xbb, 0xc8, 0xeb, 0x6d, 0x56,
	32	0xe0, 0x0d, 0xd5, 0xd8, 0x6e, 0xf5, 0x59, 0x27, 0xee, 0xfc, 0x08, 0xe1, 0xb0,
	33	0x02, 0xb6, 0xec, 0xe0, 0x5d, 0xbf
134bfe56 MC	34	};
	35
	36	static unsigned char early_secret[] = {
	37	0x33, 0xad, 0x0a, 0x1c, 0x60, 0x7e, 0xc0, 0x3b, 0x09, 0xe6, 0xcd, 0x98, 0x93,
	38	0x68, 0x0c, 0xe2, 0x10, 0xad, 0xf3, 0x00, 0xaa, 0x1f, 0x26, 0x60, 0xe1, 0xb2,
	39	0x2e, 0x10, 0xf1, 0x70, 0xf9, 0x2a
	40	};
	41
	42	static unsigned char ecdhe_secret[] = {
d6ce9da4 MC	43	0x81, 0x51, 0xd1, 0x46, 0x4c, 0x1b, 0x55, 0x53, 0x36, 0x23, 0xb9, 0xc2, 0x24,
	44	0x6a, 0x6a, 0x0e, 0x6e, 0x7e, 0x18, 0x50, 0x63, 0xe1, 0x4a, 0xfd, 0xaf, 0xf0,
	45	0xb6, 0xe1, 0xc6, 0x1a, 0x86, 0x42
134bfe56 MC	46	};
	47
	48	static unsigned char handshake_secret[] = {
d6ce9da4 MC	49	0x5b, 0x4f, 0x96, 0x5d, 0xf0, 0x3c, 0x68, 0x2c, 0x46, 0xe6, 0xee, 0x86, 0xc3,
	50	0x11, 0x63, 0x66, 0x15, 0xa1, 0xd2, 0xbb, 0xb2, 0x43, 0x45, 0xc2, 0x52, 0x05,
	51	0x95, 0x3c, 0x87, 0x9e, 0x8d, 0x06
134bfe56 MC	52	};
134bfe56 MC	53
1f6359db	54	static const char *client_hts_label = "c hs traffic";
134bfe56 MC	55
134bfe56 MC	56	static unsigned char client_hts[] = {
d6ce9da4 MC	57	0xe2, 0xe2, 0x32, 0x07, 0xbd, 0x93, 0xfb, 0x7f, 0xe4, 0xfc, 0x2e, 0x29, 0x7a,
	58	0xfe, 0xab, 0x16, 0x0e, 0x52, 0x2b, 0x5a, 0xb7, 0x5d, 0x64, 0xa8, 0x6e, 0x75,
	59	0xbc, 0xac, 0x3f, 0x3e, 0x51, 0x03
134bfe56 MC	60	};
	61
	62	static unsigned char client_hts_key[] = {
d6ce9da4 MC	63	0x26, 0x79, 0xa4, 0x3e, 0x1d, 0x76, 0x78, 0x40, 0x34, 0xea, 0x17, 0x97, 0xd5,
d6ce9da4 MC	64	0xad, 0x26, 0x49
134bfe56 MC	65	};
	66
	67	static unsigned char client_hts_iv[] = {
d6ce9da4	68	0x54, 0x82, 0x40, 0x52, 0x90, 0xdd, 0x0d, 0x2f, 0x81, 0xc0, 0xd9, 0x42
134bfe56 MC	69	};
134bfe56 MC	70
1f6359db	71	static const char *server_hts_label = "s hs traffic";
134bfe56 MC	72
134bfe56 MC	73	static unsigned char server_hts[] = {
d6ce9da4 MC	74	0x3b, 0x7a, 0x83, 0x9c, 0x23, 0x9e, 0xf2, 0xbf, 0x0b, 0x73, 0x05, 0xa0, 0xe0,
	75	0xc4, 0xe5, 0xa8, 0xc6, 0xc6, 0x93, 0x30, 0xa7, 0x53, 0xb3, 0x08, 0xf5, 0xe3,
	76	0xa8, 0x3a, 0xa2, 0xef, 0x69, 0x79
134bfe56 MC	77	};
	78
	79	static unsigned char server_hts_key[] = {
d6ce9da4 MC	80	0xc6, 0x6c, 0xb1, 0xae, 0xc5, 0x19, 0xdf, 0x44, 0xc9, 0x1e, 0x10, 0x99, 0x55,
d6ce9da4 MC	81	0x11, 0xac, 0x8b
134bfe56 MC	82	};
	83
	84	static unsigned char server_hts_iv[] = {
d6ce9da4	85	0xf7, 0xf6, 0x88, 0x4c, 0x49, 0x81, 0x71, 0x6c, 0x2d, 0x0d, 0x29, 0xa4
134bfe56 MC	86	};
	87
	88	static unsigned char master_secret[] = {
d6ce9da4 MC	89	0x5c, 0x79, 0xd1, 0x69, 0x42, 0x4e, 0x26, 0x2b, 0x56, 0x32, 0x03, 0x62, 0x7b,
	90	0xe4, 0xeb, 0x51, 0x03, 0x3f, 0x58, 0x8c, 0x43, 0xc9, 0xce, 0x03, 0x73, 0x37,
	91	0x2d, 0xbc, 0xbc, 0x01, 0x85, 0xa7
134bfe56 MC	92	};
134bfe56 MC	93
1f6359db	94	static const char *client_ats_label = "c ap traffic";
134bfe56 MC	95
134bfe56 MC	96	static unsigned char client_ats[] = {
d6ce9da4 MC	97	0xe2, 0xf0, 0xdb, 0x6a, 0x82, 0xe8, 0x82, 0x80, 0xfc, 0x26, 0xf7, 0x3c, 0x89,
	98	0x85, 0x4e, 0xe8, 0x61, 0x5e, 0x25, 0xdf, 0x28, 0xb2, 0x20, 0x79, 0x62, 0xfa,
	99	0x78, 0x22, 0x26, 0xb2, 0x36, 0x26
134bfe56 MC	100	};
	101
	102	static unsigned char client_ats_key[] = {
d6ce9da4 MC	103	0x88, 0xb9, 0x6a, 0xd6, 0x86, 0xc8, 0x4b, 0xe5, 0x5a, 0xce, 0x18, 0xa5, 0x9c,
d6ce9da4 MC	104	0xce, 0x5c, 0x87
134bfe56 MC	105	};
	106
	107	static unsigned char client_ats_iv[] = {
d6ce9da4	108	0xb9, 0x9d, 0xc5, 0x8c, 0xd5, 0xff, 0x5a, 0xb0, 0x82, 0xfd, 0xad, 0x19
134bfe56 MC	109	};
134bfe56 MC	110
1f6359db	111	static const char *server_ats_label = "s ap traffic";
134bfe56 MC	112
134bfe56 MC	113	static unsigned char server_ats[] = {
d6ce9da4 MC	114	0x5b, 0x73, 0xb1, 0x08, 0xd9, 0xac, 0x1b, 0x9b, 0x0c, 0x82, 0x48, 0xca, 0x39,
	115	0x26, 0xec, 0x6e, 0x7b, 0xc4, 0x7e, 0x41, 0x17, 0x06, 0x96, 0x39, 0x87, 0xec,
	116	0x11, 0x43, 0x5d, 0x30, 0x57, 0x19
134bfe56 MC	117	};
	118
	119	static unsigned char server_ats_key[] = {
d6ce9da4 MC	120	0xa6, 0x88, 0xeb, 0xb5, 0xac, 0x82, 0x6d, 0x6f, 0x42, 0xd4, 0x5c, 0x0c, 0xc4,
d6ce9da4 MC	121	0x4b, 0x9b, 0x7d
134bfe56 MC	122	};
	123
	124	static unsigned char server_ats_iv[] = {
d6ce9da4	125	0xc1, 0xca, 0xd4, 0x42, 0x5a, 0x43, 0x8b, 0x5d, 0xe7, 0x14, 0x83, 0x0a
134bfe56 MC	126	};
	127
	128	/* Mocked out implementations of various functions */
38b051a1	129	int ssl3_digest_cached_records(SSL_CONNECTION *s, int keep)
134bfe56 MC	130	{
	131	return 1;
	132	}
	133
	134	static int full_hash = 0;
	135
	136	/* Give a hash of the currently set handshake */
38b051a1	137	int ssl_handshake_hash(SSL_CONNECTION s, unsigned char out, size_t outlen,
134bfe56 MC	138	size_t *hashlen)
	139	{
	140	if (sizeof(hs_start_hash) > outlen
	141	\|\| sizeof(hs_full_hash) != sizeof(hs_start_hash))
	142	return 0;
	143
	144	if (full_hash) {
	145	memcpy(out, hs_full_hash, sizeof(hs_full_hash));
	146	*hashlen = sizeof(hs_full_hash);
	147	} else {
	148	memcpy(out, hs_start_hash, sizeof(hs_start_hash));
	149	*hashlen = sizeof(hs_start_hash);
	150	}
	151
	152	return 1;
	153	}
	154
38b051a1	155	const EVP_MD ssl_handshake_md(SSL_CONNECTION s)
134bfe56 MC	156	{
	157	return EVP_sha256();
	158	}
	159
0d9824c1 MC	160	void RECORD_LAYER_reset_write_sequence(RECORD_LAYER *rl)
	161	{
	162	}
	163
9727f4e7 MC	164	int ssl_cipher_get_evp_cipher(SSL_CTX ctx, const SSL_CIPHER sslc,
	165	const EVP_CIPHER **enc)
	166	{
	167	return 0;
	168	}
	169
c8f6c28a MC	170	int ssl_cipher_get_evp(SSL_CTX ctx, const SSL_SESSION s,
	171	const EVP_CIPHER enc, const EVP_MD md,
	172	int mac_pkey_type, size_t mac_secret_size,
	173	SSL_COMP **comp, int use_etm)
92760c21 MC	174
	175	{
	176	return 0;
	177	}
	178
04904312 MC	179	int tls1_alert_code(int code)
	180	{
	181	return code;
	182	}
	183
38b051a1	184	int ssl_log_secret(SSL_CONNECTION *sc,
f1a5939f CB	185	const char *label,
	186	const uint8_t *secret,
	187	size_t secret_len)
	188	{
	189	return 1;
	190	}
	191
c8f6c28a	192	const EVP_MD ssl_md(SSL_CTX ctx, int idx)
d49e23ec MC	193	{
	194	return EVP_sha256();
	195	}
	196
38b051a1	197	void ossl_statem_send_fatal(SSL_CONNECTION *s, int al)
5a2d0ef3 RL	198	{
	199	}
	200
38b051a1 TM	201	void ossl_statem_fatal(SSL_CONNECTION *s, int al, int reason,
38b051a1 TM	202	const char *fmt, ...)
f63a17d6 MC	203	{
	204	}
	205
38b051a1	206	int ossl_statem_export_allowed(SSL_CONNECTION *s)
1f5878b8 TT	207	{
	208	return 1;
	209	}
	210
38b051a1	211	int ossl_statem_export_early_allowed(SSL_CONNECTION *s)
b38ede80 TT	212	{
	213	return 1;
	214	}
	215
c8f6c28a MC	216	void ssl_evp_cipher_free(const EVP_CIPHER *cipher)
	217	{
	218	}
	219
	220	void ssl_evp_md_free(const EVP_MD *md)
	221	{
	222	}
	223
cc110a0a MC	224	int ssl_set_new_record_layer(SSL_CONNECTION *s, int version, int direction,
cc110a0a MC	225	int level, unsigned char *key, size_t keylen,
79eebb08 MC	226	unsigned char *iv, size_t ivlen,
	227	unsigned char *mackey, size_t mackeylen,
	228	const EVP_CIPHER *ciph, size_t taglen,
	229	int mactype, const EVP_MD *md,
	230	const SSL_COMP *comp)
	231	{
	232	return 0;
	233	}
	234
134bfe56 MC	235	/* End of mocked out code */
134bfe56 MC	236
38b051a1	237	static int test_secret(SSL_CONNECTION s, unsigned char prk,
134bfe56 MC	238	const unsigned char *label, size_t labellen,
	239	const unsigned char *ref_secret,
	240	const unsigned char ref_key, const unsigned char ref_iv)
	241	{
ace081c1	242	size_t hashsize;
134bfe56	243	unsigned char gensecret[EVP_MAX_MD_SIZE];
ace081c1	244	unsigned char hash[EVP_MAX_MD_SIZE];
134bfe56 MC	245	unsigned char key[KEYLEN];
134bfe56 MC	246	unsigned char iv[IVLEN];
ec15acb6	247	const EVP_MD *md = ssl_handshake_md(s);
134bfe56	248
ace081c1	249	if (!ssl_handshake_hash(s, hash, sizeof(hash), &hashsize)) {
2fae041d	250	TEST_error("Failed to get hash");
ace081c1 MC	251	return 0;
	252	}
	253
a19ae67d	254	if (!tls13_hkdf_expand(s, md, prk, label, labellen, hash, hashsize,
0fb2815b	255	gensecret, hashsize, 1)) {
2fae041d	256	TEST_error("Secret generation failed");
134bfe56 MC	257	return 0;
	258	}
	259
2fae041d	260	if (!TEST_mem_eq(gensecret, hashsize, ref_secret, hashsize))
134bfe56	261	return 0;
134bfe56	262
d49e23ec	263	if (!tls13_derive_key(s, md, gensecret, key, KEYLEN)) {
2fae041d	264	TEST_error("Key generation failed");
134bfe56 MC	265	return 0;
	266	}
	267
2fae041d	268	if (!TEST_mem_eq(key, KEYLEN, ref_key, KEYLEN))
134bfe56	269	return 0;
134bfe56	270
d49e23ec	271	if (!tls13_derive_iv(s, md, gensecret, iv, IVLEN)) {
2fae041d	272	TEST_error("IV generation failed");
134bfe56 MC	273	return 0;
	274	}
	275
2fae041d	276	if (!TEST_mem_eq(iv, IVLEN, ref_iv, IVLEN))
134bfe56	277	return 0;
134bfe56 MC	278
	279	return 1;
	280	}
	281
	282	static int test_handshake_secrets(void)
	283	{
	284	SSL_CTX *ctx = NULL;
38b051a1 TM	285	SSL *ssl = NULL;
38b051a1 TM	286	SSL_CONNECTION *s;
134bfe56 MC	287	int ret = 0;
	288	size_t hashsize;
	289	unsigned char out_master_secret[EVP_MAX_MD_SIZE];
	290	size_t master_secret_length;
	291
	292	ctx = SSL_CTX_new(TLS_method());
2fae041d	293	if (!TEST_ptr(ctx))
134bfe56 MC	294	goto err;
134bfe56 MC	295
38b051a1 TM	296	ssl = SSL_new(ctx);
38b051a1 TM	297	if (!TEST_ptr(ssl) \|\| !TEST_ptr(s = SSL_CONNECTION_FROM_SSL_ONLY(ssl)))
134bfe56 MC	298	goto err;
134bfe56 MC	299
ec15acb6	300	s->session = SSL_SESSION_new();
2fae041d	301	if (!TEST_ptr(s->session))
ec15acb6 MC	302	goto err;
ec15acb6 MC	303
2fae041d P	304	if (!TEST_true(tls13_generate_secret(s, ssl_handshake_md(s), NULL, NULL, 0,
	305	(unsigned char *)&s->early_secret))) {
	306	TEST_info("Early secret generation failed");
134bfe56 MC	307	goto err;
	308	}
	309
2fae041d P	310	if (!TEST_mem_eq(s->early_secret, sizeof(early_secret),
	311	early_secret, sizeof(early_secret))) {
	312	TEST_info("Early secret does not match");
134bfe56 MC	313	goto err;
	314	}
	315
2fae041d P	316	if (!TEST_true(tls13_generate_handshake_secret(s, ecdhe_secret,
2fae041d P	317	sizeof(ecdhe_secret)))) {
44e69951	318	TEST_info("Handshake secret generation failed");
134bfe56 MC	319	goto err;
	320	}
	321
2fae041d P	322	if (!TEST_mem_eq(s->handshake_secret, sizeof(handshake_secret),
2fae041d P	323	handshake_secret, sizeof(handshake_secret)))
134bfe56	324	goto err;
134bfe56	325
ed576acd	326	hashsize = EVP_MD_get_size(ssl_handshake_md(s));
2fae041d P	327	if (!TEST_size_t_eq(sizeof(client_hts), hashsize))
	328	goto err;
	329	if (!TEST_size_t_eq(sizeof(client_hts_key), KEYLEN))
	330	goto err;
	331	if (!TEST_size_t_eq(sizeof(client_hts_iv), IVLEN))
134bfe56	332	goto err;
134bfe56	333
2fae041d P	334	if (!TEST_true(test_secret(s, s->handshake_secret,
	335	(unsigned char *)client_hts_label,
	336	strlen(client_hts_label), client_hts,
	337	client_hts_key, client_hts_iv))) {
	338	TEST_info("Client handshake secret test failed");
134bfe56 MC	339	goto err;
	340	}
	341
2fae041d P	342	if (!TEST_size_t_eq(sizeof(server_hts), hashsize))
	343	goto err;
	344	if (!TEST_size_t_eq(sizeof(server_hts_key), KEYLEN))
	345	goto err;
	346	if (!TEST_size_t_eq(sizeof(server_hts_iv), IVLEN))
134bfe56	347	goto err;
134bfe56	348
2fae041d P	349	if (!TEST_true(test_secret(s, s->handshake_secret,
	350	(unsigned char *)server_hts_label,
	351	strlen(server_hts_label), server_hts,
	352	server_hts_key, server_hts_iv))) {
	353	TEST_info("Server handshake secret test failed");
134bfe56 MC	354	goto err;
	355	}
	356
	357	/*
	358	* Ensure the mocked out ssl_handshake_hash() returns the full handshake
	359	* hash.
	360	*/
	361	full_hash = 1;
	362
2fae041d P	363	if (!TEST_true(tls13_generate_master_secret(s, out_master_secret,
	364	s->handshake_secret, hashsize,
	365	&master_secret_length))) {
	366	TEST_info("Master secret generation failed");
134bfe56 MC	367	goto err;
	368	}
	369
2fae041d P	370	if (!TEST_mem_eq(out_master_secret, master_secret_length,
	371	master_secret, sizeof(master_secret))) {
	372	TEST_info("Master secret does not match");
134bfe56 MC	373	goto err;
	374	}
	375
2fae041d P	376	if (!TEST_size_t_eq(sizeof(client_ats), hashsize))
	377	goto err;
	378	if (!TEST_size_t_eq(sizeof(client_ats_key), KEYLEN))
	379	goto err;
	380	if (!TEST_size_t_eq(sizeof(client_ats_iv), IVLEN))
134bfe56	381	goto err;
134bfe56	382
2fae041d P	383	if (!TEST_true(test_secret(s, out_master_secret,
	384	(unsigned char *)client_ats_label,
	385	strlen(client_ats_label), client_ats,
	386	client_ats_key, client_ats_iv))) {
	387	TEST_info("Client application data secret test failed");
134bfe56 MC	388	goto err;
	389	}
	390
2fae041d P	391	if (!TEST_size_t_eq(sizeof(server_ats), hashsize))
	392	goto err;
	393	if (!TEST_size_t_eq(sizeof(server_ats_key), KEYLEN))
	394	goto err;
	395	if (!TEST_size_t_eq(sizeof(server_ats_iv), IVLEN))
134bfe56	396	goto err;
134bfe56	397
2fae041d P	398	if (!TEST_true(test_secret(s, out_master_secret,
	399	(unsigned char *)server_ats_label,
	400	strlen(server_ats_label), server_ats,
	401	server_ats_key, server_ats_iv))) {
	402	TEST_info("Server application data secret test failed");
134bfe56 MC	403	goto err;
	404	}
	405
	406	ret = 1;
	407	err:
38b051a1	408	SSL_free(ssl);
134bfe56 MC	409	SSL_CTX_free(ctx);
	410	return ret;
	411	}
	412
3cb7c5cf	413	int setup_tests(void)
134bfe56	414	{
134bfe56	415	ADD_TEST(test_handshake_secrets);
ad887416	416	return 1;
134bfe56	417	}